2_24590_Infoblox--Defeating-APT-Malware.pdf
-
Upload
juicy69mann -
Category
Documents
-
view
218 -
download
0
Transcript of 2_24590_Infoblox--Defeating-APT-Malware.pdf
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
1/16
WHITEPAPER
Defeating Advanced Persistent
Threat Malware
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
2/16
WHITEPAPER
Table of Contents
1. Malware is Everywhere 2
1.1. Attacks Can Come From Anywhere 2
1.2. Malware Statistics are Startling 3
1.3. All Malware Is Not Alike 4
1.4. APT Malware Breaches Are Expensive 5
2. APT Malware Requires a New Approach 7
2.1. APT Malware Exploits the DNS Protocol 7
2.2. DNS Security Gap 7
2.3. Solution to APT Malware: A DNS Firewall 8
3. Design Considerations or a DNS Firewall 9
3.1. Security (including Malware) Related Standards Worldwide 9
3.2. Malware-related Standards in the United States 9
3.3. Multi-tier DNS Security 10
4. Combatting APT Malware 11
4.1. An Approach Worth Investigating Inoblox DNS Firewall 11
4.2. How the Solution Works 12
4.3. Meeting Malware-related Security Standards 13
4.4. Meeting Multi-tier Security Requirements 13
4.5. Why the Solution is Unique 14
4.6. Learning More 14
1
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
3/16
Defeating Advanced Persistent Threat Malware
2
1. Malware is Everywhere
1.1. Attacks Can Come From Anywhere
Press headlines are lled by reports o malware attacks. Malware attacks, once
the reserve o amateurs largely or amusement, are now launched by a number o
entities. Today, a malware attack can literally come rom anywhere in the world and
can impact even the largest organization.
Government Cyberwar teams: Governments are alleged to be attacking other
governments entities as well as private companies1.
Hacktivists: Hacker activists (called hacktivists) are utilizing malware attacks as
a orm o protest against government, commercial, and even private web sites2.
Governmentcensororganizations:Certaingovernmentsareallegedlyusing
malware attacks as a orm o censorship. For example, it is suspected that
websites are selectively blocked to prevent social media rom being used to
organize protests and to coalesce public opinion against the government3.
Criminal Elements: Malware attacks upon banks and upon individuals are
executed by criminal elements worldwide4.
RandomIndividuals:Withtheavailabilityoflowcostorevenfreerollyour
own malware kits on the Web5, almost anyone can plan and execute a
malware attack.
Malware is protable: malware is no longer just a un game or script kiddies
or a eld o study or researchers. Today, it is a serious business and source o
revenue or malicious actors and criminals all over the world. Malware, together
with other cyber tools and techniques, provides a low cost, reusable method oconducting highly lucrative orms o cybercrime. 6
Organisation or Economic Co-operation and Development (OECD)
1 Winter, Michael, USA Today, NBC: Iran repor tedly behind cyber attacks on U.S. banks, 09/20/12.
2 Dunn, John E., Computerworld, Hacktivists DDoS UK, US and Swedish Government websites, 9/7/12.
3 Wikipedia, http://en.wikipedia.org/wiki/Internet_censorship_in_the_People%27s_Republic_o_China.
4 Wikipedia, http://en.wikipedia.org/wiki/Botnet
5 Wikipedia, http://en.wikipedia.org/wiki/Webattacker
6 OECD, OECD Guidelines or the Security o Inormation Systems and Networks,
http://www.oecd.org/sti/interneteconomy/15582260.pd, 2002.
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
4/16
WHITEPAPER
3
1.2. Malware Statistics are Startling
Statistics about malware attacks are truly startling due to the number o attacks, the
number o successul attacks, and the time that it takes to discover malware.
The average volume o new malware threats is approximately 7.8 million per quarter
or the rst three quarters o 2012 alone, a rate o 1 new threat per second! During thesame period, malware on mobile devices grew more than 10 old, according to McAee7.
Further, malware attacks are extremely eective. A 2012 Verizon security study8
illustrates that in 2011 alone there were:
Around855successfulbreachesofcorporateorgovernmententitiesthat
compromised around 174 million records.
O the successul breaches, 69% utilized Malware.
7 McAee, McAee Threats Report: Third Quarter 2012,
(http://www.mcaee.com/us/about/news/2012/q3/20120910-01.aspx?cid=110907)
8 Verizon, Verizon Security Study 2012,
(http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pd, 2012)
Source: McAee, 2012.
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
5/16
Defeating Advanced Persistent Threat Malware
4
1.3. All Malware Is Not Alike
There are numerous amilies, classes, subclasses, and variants o malware.
Many sources dier as to the categorization. Also, many types o malware exhibit
characteristicsofmultiplefamiliesandclassesandsocanbedescribedashybrid.
To provide a reerence point or this White Paper, Inoblox has created a classication
system or Malware.
Source: McAee, 2012.
Source: Inoblox, 2013
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
6/16
WHITEPAPER
5
Inoblox considers there to be three major amilies o malware as shown in the
diagram Viruses, Worms, and Trojan Horses. O the Trojan Horses:
One class called IP-exploiting typically uses Internet Protocol (IP) or
communications.
Another class called DNS-exploiting typically exploits Domain Name
Services (DNS) or communications between the malware-inected device and
themastercontrollerofanetworkofinfecteddevices(calledabotnet).
DNS-exploiting Malware typically is designed to remain undetected on servers and
on personal devices over a long time period. Based on commands received rom the
mastercontrollerviabackdoormalware,infecteddeviceswilleithercapturedata(via
spyware malware) or execute actions such as send SPAM emails or participate in a
Distributed Denial o Service (DDoS) attack.
As this type o malware is very sophisticated and is designed to persist over time, a
commonly-used description or this category is Advanced Persistent Threat or APT
Malware. This White Paper will use the term APT Malware or consistency across a
variety o inormation sources.
1.4. APT Malware Breaches Are Expensive
A study by the Ponemon Breach Institute provides some estimated costs or
malware9. In terms o total Malware cost per company, gures are:
A 2011 median cost o $5.9 million dollars annually / average o $8.4 million
annually across all companies and industries studied.
While the study says that the gures may not be wholly trustworthy due to low
sample size, the 2011 cost by industry is estimated to range rom an average oalmost $20 million / year or Deense down to $3 million / year or Retail.
Source: Ponemon Institute, 2012.
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
7/16
Defeating Advanced Persistent Threat Malware
6
APT Malware (categorized as Malicious code in the diagram below) is the most
expensive kind o malware, accounting or approximately 23-26% o the total annual cost.
One actor in the expense o Malware is the length o time that it remains undetected,
particularly by internal stas. The Verizon study10 calculated that:
54% o malware took months to discover
29% o malware took weeks to discover
92% o malware is detected by an external par ty.
Netting out the gures above, it appears that most companies never detect
malware at all much less in a timely manner.
9 Ponemon Institute, Second Annual Cost o Cyber Crime Study,
(http://www.hpenterprisesecurity.com/collateral/report/2011_Cost_o_Cyber_Crime_Study_August.pd),
August 2011.
10 Verizon, Verizon Securit y Study 2012,
(http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pd, 2012).
Ponemon Institute, 2012
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
8/16
WHITEPAPER
2. APT Malware Requires a New Approach
2.1. APT Malware Exploits the DNS Protocol
For the Domain Name System (DNS) protocol to work properly, DNS communications
must fow reely among all devices and applications. Further, since DNS is integral
to the process o establishing and maintaining communications with a web server,
applications such as chat, and mobile device applications, any delays in processing
or potential decreases in availability could easily ripple into a much larger problem. As
a result, DNS commands are typically not intercepted or inspected by existing security
approaches.
By exploiting DNS, malware developers can sidestep existing security approaches:
For example, since network rewalls typically blacklist at the IP address level,
malware master controllers reportedly change their IP addresses hourly either
by rotation on a list or by using techniques such as Fast fux to hide behind a
variety o ever-changing proxy servers11.
Also, since web lter approaches typically work on the exact URL only, by
changing URLs fexibly within a domain, malware circumvents web lter
approaches.
DNS provides a powerul means or locating the botnet master controller and or
transmitting instructions to inected devices. For example, DNS is used to locate the
botnet master controller, even when it changes IP addresses and/or URLs requently.
Also, DNS is used to transmit instructions to the inected devices, via techniques
typically called DNS tunneling or DNS hijacking12.
2.2. DNS Security Gap
Many organizations believe in the concept o layered security. Wikipedia denes
layered security as For every category o threat, there should be an eective control
deployed to mitigate the threat.13 (Security industry analysts also use the term
Deense in Depth to describe this concept. 14) In summary, each network layer
typically has unique vulnerabilities that attackers strive to leverage. Further, dierent
attacks can be directed at the same layer. So, on average, each network layer should
have its own security mechanism that counters its unique vulnerabilities and protects
against all relevant attacks.
11Wikipedia, http://en.wikipedia.org/wiki/Botnet
12 Wikipedia, http://en.wikipedia.org/wiki/DNS_hijacking
13 Wikipedia, http://en.wikipedia.org/wiki/Layered_security
14 Wikipedia, http://en.wikipedia.org/wiki/Deense_in_depth_(computing)
7
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
9/16
Defeating Advanced Persistent Threat Malware
For example, the diagram to the right shows a variety o malware threats and the
corresponding ways in which they are neutralized. For example, many Viruses and
Worms are eectively addressed with antivirus scanning. Also, malware DDoS attacks
can be neutralized within the DNS and/or overall networking architecture. Device
monitoring packages can intercept questionable le downloads.
However, APT malware that exploits DNS or communications cannot be eectively
addressed by existing approaches:
While this capability does not rely on DNS, APT malware deeats signature-
based approaches built into anti-virus packages by techniques such as
repacking15.
Web Filters typically act at the URL level since they are blocking specic content
objects
Firewalls typically act at the IP level since they are blocking specic servers
Data Loss Prevention approaches typically would require numerous, overly
intrusivesensorpointsinthenetworktoenablesniffingofallDNStraffic.
As existing approaches, while highly useul against certain types o malware, are noteective against APT Malware, a new deense must be designed and deployed.
15 Caballero, Juan, et.al., Measuring Pay-per-Install: The Commoditization o Malware Distribution, USENIX
White Paper,
http://static.usenix.org/events/sec11/tech/ull_papers/Caballero.pd, August, 2011.
Hardening Perimeter Monitoring IP-based
Hardened
Appliances, SecureInterconnections,
Consistent Cover-
age Core to Edge
Traditional - Fire-
walls, VPNs,Virus/Trojan
Scanning, DDoS
protection, etc.
Computer
Monitoring Tools -Examine each
command, func-
tion, and setting
Reputation Data
Feeds / WebFilters
MalwareType
Counter
Measures
Not effective sinceMalware leverages
comprehensive,
working infrastructure
Some Malware getsbehind firewall and is
designed to morph
IP, behavior, and file
characteristics
Some Malwareleverages legitimate
commands unde-
tected by computer
monitoring tools
Web Filters and DataFeeds help avoid
Droppers but can not
detect DNS-
exploiting Malware
Virus and Worms
Trojan Horses -IP-based (Adware)
Trojan Horses -
IP-based (Dialers)
Trojan Horses -
IP-based (Droppers)
APT Malware -
DNS-exploiting(Trojan Spywar
& Backdoors)
DNS Security
Defense Gap
Threats
Threats
Threats
Threats
Threats
Layered Security To Combat Malware
8
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
10/16
WHITEPAPER
2.3. Solution to APT Malware: A DNS Firewall
Since the core communications protocol or APT Malware is DNS, an approach baked
into DNS is worthy o exploration. In act, the concept o an embedded malware
security mechanism or DNS called a DNS Firewall was proposed in a recent
Security Week article16.
Unlike a traditional network rewall that protects rom the physical layer going up to
and optionally including the application layer, a DNS Firewall must absolutely include
protection at the application layer as the quality o the actual DNS data must be
protected. To put this need in terms used by network rewalls, there is a strong need
or an Application-level DNS Firewall.
DNS rewalls likely would have prevented the success o more than 80
percent o these attacks.
Security Week
3. Design Considerations for a DNS Firewall
3.1. Security (including Malware) Related Standards Worldwide
The Organisation or Economic Co-operation and Development (OECD) is a group
o 34 countries (including the United Kingdom, Israel, Japan, Korea, and U.S.) that
together strive or economic growth. The 2002 OECD Guidelines or the Security
o Inormation Systems and Networks provide a list o broad inormation security
principles all o which are relevant and applicable to the ght against malware. Thenine principles are Awareness, Responsibility, Response, Ethics, Democracy, Risk
assessment, Security design and implementation, Security management, and
Reassessment17.
3.2. Malware-related Standards in the United States
The National Institute o Standards and Technology (NIST)
is part o the U.S. Dept. o Commerce. A NIST publication,
Guide to Malware Incident Prevention and Handling,
provides specic and targeted recommendations or
malware. Recommendations are summarized below18.
Organizations should develop and implement an
approach to malware incident prevention.
Organizations should ensure that their policies
support the prevention o malware incidents.
Organizations should incorporate malware incident
prevention and handling into their awareness programs.
16 Rasmussen, Rod, Security Week blog, Why DNS Firewalls Should Become the Next Hot Thing in Enterprise Security,
(http://www.securityweek.com/why-dns-rewalls-should-become-next-hot-thing-enterprise-security, October 2011).
9
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
11/16
Defeating Advanced Persistent Threat Malware
Organizations should have vulnerability mitigation capabilities to help prevent
malware incidents.
Organizations should have threat mitigation capabilities to assist in containing
malware incidents.
Organizations should have a robust incident response process capability that
addresses malware incident handling.
3.3. Multi-tier DNS Security
A deense against APT Malware cannot be standalone since it must also resist
attacks rom hackers and rom other types o malware. To illustrate all the deenses
needed within the DNS layer, they are illustrated as tiers o attacks and corresponding
deenses.
DNS Appliance
Application-level
DNS Firewall
Stateful DNS Firewall
Network Side Enterprise Side
DNSSEC, Port Randomization,
and more
Admin Authentication
Hardware/OS Hardening
Malware Infection
DDoS
Man in the Middle
Device Attack
Botnet Commandand Control
DDoS frominternal Zombies
Man in the Middlefrom BYOD
Device Attack
Physical Attack Physical Attack
DNS Security must resist both external and internal attacks
10
17 OECD, OECD Guidelines or the Security o Inormation Systems and Networks,
http://www.oecd.org/sti/interneteconomy/15582260.pd, 2002.
18 National Institute o Standards and Technology, U.S. Dept. o Commerce, Guide to Malware Incident Prevention and
Handling, http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pd, November 2005.
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
12/16
WHITEPAPER
A DNS Security approach must be built on top o a robust security oundation.
Starting at the bottom o the gure to the let:
A DNS appliance must be able to resist both internal and external physical
attacks via hardening o the hardware and the operating system.
Device attacks need to be repelled via advanced administrator authentication
techniques (i.e. TACACS).
Network attacks arising rom hostile devices in the network and/or compromised
Bring Your Own Devices (BYODs) can be overcome via a variety o techniques
such as DNSSEC.
DDoS attacks, including attempts to overload sessions, can be averted via
DDoS techniques and the use o state to clariy which session creation requests
aregenuine.Thisissomewhatequivalenttothefunctionofastatefulnetwork
rewall and so is described as a Stateul DNS Firewall tier o deense.
Moving to the top layer, Malware inection must be proactively prevented and
Botnet command and control instructions, most likely rom inected BYOD
devices, must be disrupted. As these commands can be issued by applications,the unctionality resembles to the unction o a network application rewall. So,
the unctionality to combat APT Malware would be that o an Application-level
DNS Firewall tier o deense.
4. Combatting APT Malware
4.1. An Approach Worth Investigating Inoblox DNS Firewall
Inoblox created a DNS security solution called the Inoblox DNS Firewall based
on its market-leading amily o products Trinzic DDITM. Inoblox believes that this
approach is the industrys rst true DNS security solution.
The Inoblox DNS Firewall solution is composed o:
Product License: The unctionality is pre-installed with the latest release o
Inobloxs Trinzic DDI operating system and only needs a key or activation.
Malware Data Feed rom Inoblox (optional annual subscription): The product
license will accept multiple data eeds. The customer has the option o
subscribing to Inobloxs proprietary malware-specic reputational data eed.
Inoblox GridTM: The solution requires an Inoblox Grid be installed as it leverages
Grid unctions such as automatic le updates, security, and more.
11
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
13/16
Defeating Advanced Persistent Threat Malware
4.2. How the Solution Works
As shown in the gure to the right, the solution works as ollows:
1 When the Inoblox experts detect a new malware, the Inoblox Malware Data
Feed immediately sends an update to our customers.
2 Either directly or by leveraging the Inoblox GridTM, the updated data is sent to all
Inoblox Recursive DNS Servers in near real time.
3 I an end user clicks on a malicious link or attempts to go to a known malware
website, the attempt will be blocked at the DNS level.
4 The session can be redirected to a landing page / walled garden site dened by
the company administrator.
5 For clients that are inected already, very typically user-owned devices, the
inected client will attempt to use DNS commands to communicate with the
botnet master controller. The Inoblox DNS Firewall will not execute these
commands, eectively crippling the botnet.
6 All activities are written to industry-standard Syslog ormat so that the IT team
can either investigate the source o the malware links or cleanse the inectedclient. Data is also ed to the Trinzic Reporting product or analysis and reporting.
Infoblox DNS Firewall/ Recursive DNS Server
Infoblox DNS Firewall/ Recursive DNS Server
Infoblox DNS Firewall
/ Recursive DNS Server
Infected
Client
Write to Syslog andsend to Trinzic Reportin
Landing Page/Walled Garden
Redirect
Malicious link to
www.badsite.com
Contact
Botnet
Block/DisallowSession
ApplyPolicy
DynamicPolicy Update
Dynamic Grid-WidePolicy Distribution
alware Data Feedfrom Infoblox
1
2
3
6
5
4
Operation o the Inoblox DNS Firewall
12
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
14/16
WHITEPAPER
4.3. Meeting Malware-related Security Standards
In addition to the OECD standards, the Inoblox solution ully meets the NIST
standards as summarized in the table below:
4.4. Meeting Multi-tier Security Requirements
As the Inoblox DNS Firewall leverages the security architecture o both the Inoblox
GridTM and Inoblox appliances, the multi-tier security requirements detailed in the
previous section are all provided. Most importantly, since the actual DNS commands
issued by all applications and devices are monitored, the product provides the
protection o an Application-level DNS Firewall.
NIST Standard Infoblox DNS Firewall
Organizations should develop and
implement an approach to malware incident
prevention.
Organizations should ensure that their
policies support the prevention o malware
incidents.
Organizations should incorporate malware
incident prevention and handling into their
awareness programs.
Organizations should have vulnerability
mitigation capabilities to help prevent
malware incidents.
Organizations should have threat mitigation
capabilities to assist in containing malware
incidents.
Organizations should have a robust incident
response process capability that addresses
malware incident handling.
Provides an end to end approach that
proactively prevents inection as well as
execution o Malware, thereore minimizing
or eliminating malware incidents.
Malware policies are automatically updated
via the Inoblox Malware Data Feed.
Policies can also be set or modied by the
security administrator.
The Landing Page / Walled Garden
unctionality is tailor-made or incorporation
into awareness programs.
Vulnerability mitigation is built-in via both
redirection o inected clients and disruption
o botnet communications.
Since botnet communications and sessions
are disrupted, Malware is contained.
All malware activities are logged. With
the use o the Inoblox Reporting Server,
malware reports can also be exported into
IT task lists or malware incident handling
such as cleanup o inected devices.
13
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
15/16
Defeating Advanced Persistent Threat Malware
4.5. Why the Solution is Unique
The Inoblox DNS Firewall provides dierentiating capabilities to Security and
Networking organizations in terms o being Proactive, Timely, and Tunable.
4.5.1. Proactive
The Inoblox DNS Firewall stops clients rom becoming inected by going to a malware
websiteorclickingonamaliciouslink.Further,hijackedDNSCommandandControl
requests are not executed to prevent the botnet rom operating. Lastly, all malware
activities are logged and reported to pinpoint inected clients and attacks.
4.5.2. Timely
The Inoblox DNS Firewall leverages comprehensive, accurate, and current malware
data to detect and resolve malware weeks to months aster than in-house eorts.
The robust data provided by Inoblox is comprehensive in terms o including all
known attacks and very accurate in terms o a very low alse positive rate. Automated
distribution maximizes response timeliness rom Inoblox throughout the customers
Grid in near real-time.
4.5.3. Tunable
The solution is tunable to ensure that all threats can be countered in the customers
unique environment. The solution allows the denition o hierarchical DNS,
NXDOMAIN Redirection, and Malware policies that maximize fexibility. The
administrator has ull control over which policies are enorced by each recursive DNS
server. The Inoblox Malware Data Feed includes several options that enable the
precise matching o data, including geography, to the threats encountered. In addition,
the Inoblox Data Feed can also be combined with multiple internal and external
reputational data eeds.
4.6. Learning More
To learn more, please point your browser to www.inoblox.com/dnsrewall or contact
14
-
7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf
16/16
CORPORATE HEADQUARTERS:
+1.408.625.4200
+1.866.463.6256
(toll-free, U.S. and Canada)
www.infoblox.com
EMEA HEADQUARTERS:
+32 (0)22 590 430
APAC HEADQUARTERS:
+(852) 3793-3428